Compliance roadmap
What we're compliant with today. What we're certifying next.
We publish the roadmap explicitly so your security and procurement teams can plan around it. Specific commitments, specific dates, no vague "enterprise-grade" language.
Live now
GDPR + UK GDPR + CCPA/CPRA posture
Documented lawful bases per data category (Privacy Policy §3), Article 28 DPA with Module Two SCCs for EU transfers, Article 32 security measures, Arts. 33/34 breach notification commitment.
Read the DPA
ESIGN Act + UETA
Legally binding electronic signatures on native GoBrief contracts. Signature captures IP hash, user-agent, timestamp, and cryptographic audit trail.
Tamper-evident audit log (hash chain)
Every activity row within an org is SHA-256 chained to the previous row. A public verification endpoint at /api/admin/audit-log/verify lets an outside auditor confirm the chain's integrity without seeing the row contents.
How it works
Published open brief format (CC0)
Machine-readable schema at /.well-known/gobrief-spec.json. Verification API at /api/spec/verify. Portability built into the category.
View the spec
Incident response runbook
Documented internally, reviewed annually. 72-hour breach notification commitment to controllers (GDPR Art. 33 alignment).
In flight
SOC 2 Type I
Scoping underway with an AICPA-licensed CPA firm. Observation window begins once controls are documented + operating. Target report publication: Q3 2026.
First external penetration test
Scheduled to be run by a CREST-accredited firm on the production stack before SOC 2 Type I observation ends. Executive summary will be published here; full report available under NDA to customers and prospects.
Chain-root commitment to OpenTimestamps
We'll anchor the per-org audit-log chain root to a public timestamping service weekly. This means any customer (or auditor) can later prove the chain head at a given moment was committed before a date, without trusting GoBrief.
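The two mechanisms above (a per-org SHA-256 hash chain that an outsider can verify without seeing row contents, and a periodically anchored chain head) are illustrated by the following added example. It is not GoBrief's code and assumes a link format of its own: each row stores a digest of its canonical-JSON payload, and the link hash commits to the previous link hash plus that digest, so a content-blind verifier only ever receives digests and link hashes. The sample rows, field names and the genesis value are constructed for the example. It also shows the failure mode a chain alone cannot catch, silent truncation of the newest rows, which is exactly what comparing the current head against an externally anchored head is for.

```python
import copy
import hashlib
import json

# Conventional starting point for an org's chain (assumption for this example).
GENESIS = hashlib.sha256(b"").hexdigest()


def canonical(payload: dict) -> bytes:
    # Deterministic serialisation: key order and whitespace must not change the digest.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")


def payload_digest(payload: dict) -> str:
    return hashlib.sha256(canonical(payload)).hexdigest()


def link_hash(prev_hash: str, digest: str) -> str:
    # Each link commits to the previous link and to this row's payload digest.
    return hashlib.sha256(f"{prev_hash}:{digest}".encode("ascii")).hexdigest()


def append_row(chain: list, payload: dict) -> dict:
    prev = chain[-1]["hash"] if chain else GENESIS
    digest = payload_digest(payload)
    row = {"prev_hash": prev, "payload": payload,
           "payload_digest": digest, "hash": link_hash(prev, digest)}
    chain.append(row)
    return row


def export_proof(chain: list) -> list:
    # What a content-blind verifier receives: digests and link hashes, never payloads.
    return [{"prev_hash": r["prev_hash"], "payload_digest": r["payload_digest"],
             "hash": r["hash"]} for r in chain]


def verify_proof(proof: list) -> tuple:
    """Return (True, None) if every link is intact, else (False, index of first bad link)."""
    prev = GENESIS
    for i, link in enumerate(proof):
        if link["prev_hash"] != prev or link_hash(prev, link["payload_digest"]) != link["hash"]:
            return False, i
        prev = link["hash"]
    return True, None


def verify_full(chain: list) -> tuple:
    """Internal check: payloads must still match their digests, then the links must hold."""
    for i, row in enumerate(chain):
        if payload_digest(row["payload"]) != row["payload_digest"]:
            return False, i
    return verify_proof(export_proof(chain))


def chain_head(chain: list) -> str:
    # The value that weekly anchoring would commit to a public timestamping service.
    return chain[-1]["hash"] if chain else GENESIS


# Constructed sample activity rows for one org.
SAMPLE_ROWS = [
    {"ts": "2026-01-05T10:00:00Z", "actor": "alice@example.com", "action": "brief.created", "brief_id": "b-1001"},
    {"ts": "2026-01-05T10:02:00Z", "actor": "alice@example.com", "action": "brief.shared", "brief_id": "b-1001"},
    {"ts": "2026-01-06T09:30:00Z", "actor": "bob@example.com", "action": "contract.signed", "brief_id": "b-1001"},
]


def demo() -> dict:
    chain = []
    for p in SAMPLE_ROWS:
        append_row(chain, p)
    anchored_head = chain_head(chain)  # imagine this was anchored externally last week
    results = {"intact": verify_full(chain)}

    # 1. A payload is edited in place; the stored digest no longer matches it.
    t1 = copy.deepcopy(chain)
    t1[1]["payload"]["action"] = "brief.approved"
    results["tamper_payload_only"] = verify_full(t1)

    # 2. The digest is recomputed too; now the link hash (and every later link) is wrong.
    t2 = copy.deepcopy(t1)
    t2[1]["payload_digest"] = payload_digest(t2[1]["payload"])
    results["tamper_with_digest"] = verify_proof(export_proof(t2))

    # 3. The newest row is silently dropped: the chain still verifies,
    #    only the anchored head reveals the truncation.
    t3 = chain[:-1]
    results["truncated_verifies"] = verify_proof(export_proof(t3))
    results["truncated_head_matches_anchor"] = chain_head(t3) == anchored_head
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Case 1 is caught only by the internal check because the exported proof never changed, which is why the operator must verify payloads against digests as well as running the public link check. Case 3 is the reason a chain head needs an external commitment: a verifier can only trust that the log is complete up to the most recently anchored head.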
Committed, later
SOC 2 Type II
12-month observation window on the Type I controls. Target report publication: 2027.
HIPAA BAA (Enterprise)
Available on Enterprise plan after scoping review for customers who need to handle PHI in creative briefs (healthcare marketing, pharma launches, medical education).
ISO/IEC 27001
Evaluated once SOC 2 Type II is in good standing. Decision point: whether international customer demand justifies the additional certification cost.
Public bug-bounty program
Paid program through a managed platform (HackerOne or Intigriti) after SOC 2 Type I ships. Today: vulnerability disclosure via security@gobrief.co with public credit on the Security page.
How we stay honest about this
- Every certification milestone publishes its certifying firm + audit period here. No generic "we're SOC 2 compliant" language.
- Pentest executive summaries are public. Full reports under NDA.
- Breach notification is contractual, not aspirational. Written into the DPA at 72 hours.
- The audit-log verification endpoint is real and callable as a public endpoint. Any customer can ask for a sample verification during a trial.
Enterprise compliance questionnaire
Send yours. We'll fill it out in full within 5 business days.
CAIQ, SIG, custom security questionnaires, and standard vendor-review templates all welcome. Email the document to security@gobrief.co.